The present invention relates to runtime protection of Web services, and more particularly to automatically instrumenting Web service application code to detect potential vulnerabilities.
Perfect enforcement of a security specification, for example avoiding every possible instance of an injection vulnerability such as SQL injection, is a hard problem. This is true in general, and especially so when the person responsible for implementing the security defenses is a software engineer without any special background in application security.
This situation underlies many reports of severe security attacks against Web sites owned by banks, corporations and governments. In response, a variety of testing and analysis tools have been developed to detect potential security vulnerabilities. These include algorithms for static security verification such as IBM AppScanSrc, as well as black-box and glass-box security testing products such as IBM AppScanStd. IBM is a registered trademark of International Business Machines Corporation in the US and/or other countries.
While automated tools assist the developer in discovering potential security problems, the responsibility for fixing those problems ultimately remains with the developer. This means that if the security fix the developer applies is wrong, or only partial, the application is still released in a vulnerable state.
A related serious problem is that the quality of the analysis performed by an automated algorithm depends critically on how comprehensive and accurate the algorithm's configuration is. One example is that, when using tools such as IBM AppScanSrc, the user must enter every sanitizer and validator method that appears in the application's scope. If the user enters a wrong or broken defense, the result can be false negatives. If, on the other hand, the user omits a correct defense, false positives are likely.
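The dependency described above can be made concrete with a toy taint analysis. The following is an added illustration, not code from the patent or from any IBM product: a minimal forward taint tracker over a straight-line program, where the only configuration is the set of method names the analyst has declared to be sanitizers. The method names `escape_sql` and `strip_spaces`, the program steps and the "ground truth" labels are all constructed for this example; the point is to show that registering a non-neutralizing method yields a false negative, while omitting a genuinely correct one yields a false positive.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# One step of a tiny straight-line program (constructed representation).
@dataclass
class Step:
    kind: str               # "source", "call" or "sink"
    target: str = ""        # variable defined by a source/call step
    func: str = ""          # method invoked by a call step
    args: Tuple[str, ...] = ()

def analyze(program: List[Step], sanitizers: Set[str]) -> List[Tuple[int, str]]:
    """Forward taint analysis: returns (step index, variable) pairs where a
    tainted value reaches a sink. A call to a method listed in `sanitizers`
    is trusted to neutralize its input, exactly as a static checker trusts
    its user-supplied sanitizer configuration."""
    tainted: Set[str] = set()
    findings: List[Tuple[int, str]] = []
    for i, step in enumerate(program):
        if step.kind == "source":
            tainted.add(step.target)
        elif step.kind == "call":
            if step.func in sanitizers:
                tainted.discard(step.target)      # configured: treat as clean
            elif any(a in tainted for a in step.args):
                tainted.add(step.target)          # taint propagates through the call
            else:
                tainted.discard(step.target)
        elif step.kind == "sink":
            findings.extend((i, a) for a in step.args if a in tainted)
    return findings

def outcome(findings: List[Tuple[int, str]], truly_vulnerable: bool) -> str:
    """Compare the analysis verdict with the (constructed) ground truth."""
    reported = bool(findings)
    if reported and truly_vulnerable:
        return "true positive"
    if reported and not truly_vulnerable:
        return "false positive"
    if not reported and truly_vulnerable:
        return "false negative"
    return "true negative"

# Constructed program 1: user input passes through a method that, by
# assumption, correctly neutralizes it before reaching the query sink.
PROGRAM_CORRECT = [
    Step("source", target="user"),
    Step("call", target="clean", func="escape_sql", args=("user",)),
    Step("sink", args=("clean",)),
]

# Constructed program 2: same shape, but the method only trims whitespace
# and, by assumption, does not neutralize anything.
PROGRAM_BROKEN = [
    Step("source", target="user"),
    Step("call", target="clean", func="strip_spaces", args=("user",)),
    Step("sink", args=("clean",)),
]

def configuration_effects() -> dict:
    """Run both programs under a correct, an omitted and a wrong sanitizer
    configuration and classify each verdict."""
    return {
        "correct sanitizer, registered": outcome(
            analyze(PROGRAM_CORRECT, {"escape_sql"}), truly_vulnerable=False),
        "correct sanitizer, omitted": outcome(
            analyze(PROGRAM_CORRECT, set()), truly_vulnerable=False),
        "broken method, wrongly registered": outcome(
            analyze(PROGRAM_BROKEN, {"strip_spaces"}), truly_vulnerable=True),
        "broken method, not registered": outcome(
            analyze(PROGRAM_BROKEN, set()), truly_vulnerable=True),
    }

if __name__ == "__main__":
    for case, verdict in configuration_effects().items():
        print(f"{case:36s} -> {verdict}")
```

The analyzer itself is deterministic; every difference in the four verdicts comes solely from the sanitizer set handed to it, which is the configuration burden the paragraph above places on the user.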